cbmc/single__path__symex__checker_8cpp_source.html

 /*******************************************************************\


 Module: Goto Checker using Single Path Symbolic Execution


 Author: Daniel Kroening, Peter Schrammel


 \*******************************************************************/


 #include "single_path_symex_checker.h"


 #include <util/ui_message.h>


 #include "bmc_util.h"

 #include "counterexample_beautification.h"

 #include "symex_bmc.h"


 single_path_symex_checkert::single_path_symex_checkert(

   const optionst &options,

   ui_message_handlert &ui_message_handler,

   abstract_goto_modelt &goto_model)

   : single_path_symex_only_checkert(options, ui_message_handler, goto_model)

 {

 }


 incremental_goto_checkert::resultt single_path_symex_checkert::

 operator()(propertiest &properties)

 {

   resultt result(resultt::progresst::DONE);


   // There might be more solutions from the previous equation.

   if(property_decider)

   {

     run_property_decider(

       result, properties, *property_decider, std::chrono::duration<double>(0));


     if(result.progress == resultt::progresst::FOUND_FAIL)

       return result;

   }


   if(!worklist->empty())

   {

     // We pop the item processed in the previous iteration.

     worklist->pop();

   }


   if(!symex_initialized)

   {

     symex_initialized = true;


     initialize_worklist();

   }


   while(!has_finished_exploration(properties))

   {

     path_storaget::patht &path = worklist->peek();

     const bool ready_to_decide = resume_path(path);


     if(ready_to_decide)

     {

       update_properties(properties, result.updated_properties, path.equation);


       property_decider = std::make_unique<goto_symex_property_decidert>(

         options, ui_message_handler, path.equation, ns);


       const auto solver_runtime =

         prepare_property_decider(properties, path.equation, *property_decider);


       run_property_decider(

         result, properties, *property_decider, solver_runtime);


       if(result.progress == resultt::progresst::FOUND_FAIL)

         return result;

     }


     // leave the last worklist item in place for the benefit of output_proof

     if(worklist->size() == 1)

       break;


     worklist->pop();

   }


   log.statistics() << "Runtime Symex: " << symex_runtime.count() << "s"

                    << messaget::eom;


   final_update_properties(properties, result.updated_properties);


   // Worklist just has the last element left: we are done.

   return result;

 }


 bool single_path_symex_checkert::is_ready_to_decide(

   const symex_bmct &symex,

   const path_storaget::patht &)

 {

   return symex.get_remaining_vccs() > 0;

 }


 std::chrono::duration<double>

 single_path_symex_checkert::prepare_property_decider(

   propertiest &properties,

   symex_target_equationt &equation,

   goto_symex_property_decidert &property_decider)

 {

   std::chrono::duration<double> solver_runtime = ::prepare_property_decider(

     properties, equation, property_decider, ui_message_handler);


   return solver_runtime;

 }


 void single_path_symex_checkert::run_property_decider(

   incremental_goto_checkert::resultt &result,

   propertiest &properties,

   goto_symex_property_decidert &property_decider,

   std::chrono::duration<double> solver_runtime)

 {

   ::run_property_decider(

     result,

     properties,

     property_decider,

     ui_message_handler,

     solver_runtime,

     false);

 }


 goto_tracet single_path_symex_checkert::build_full_trace() const

 {

   goto_tracet goto_trace;

   build_goto_trace(

     property_decider->get_equation(),

     property_decider->get_equation().SSA_steps.end(),

     property_decider->get_decision_procedure(),

     ns,

     goto_trace);


   return goto_trace;

 }


 goto_tracet single_path_symex_checkert::build_shortest_trace() const

 {

   if(options.get_bool_option("beautify"))

   {

     // NOLINTNEXTLINE(whitespace/braces)

     counterexample_beautificationt{ui_message_handler}(

       property_decider->get_boolbv_decision_procedure(),

       property_decider->get_equation());

   }


   goto_tracet goto_trace;

   build_goto_trace(

     property_decider->get_equation(),

     property_decider->get_decision_procedure(),

     ns,

     goto_trace);


   return goto_trace;

 }


 goto_tracet

 single_path_symex_checkert::build_trace(const irep_idt &property_id) const

 {

   goto_tracet goto_trace;

   build_goto_trace(

     property_decider->get_equation(),

     ssa_step_matches_failing_property(property_id),

     property_decider->get_decision_procedure(),

     ns,

     goto_trace);


   return goto_trace;

 }


 const namespacet &single_path_symex_checkert::get_namespace() const

 {

   return ns;

 }


 void single_path_symex_checkert::output_error_witness(

   const goto_tracet &goto_trace)

 {

   output_graphml(goto_trace, ns, options);

 }


 void single_path_symex_checkert::output_proof()

 {

   // This is incorrect, but the best we can do at the moment.

   // operator()(propertiest &properties) leaves in place the last worklist item

   // just for this purpose.

   const path_storaget::patht &resume = worklist->peek();

   output_graphml(resume.equation, ns, options);

 }

ssa_step_matches_failing_property
ssa_step_predicatet ssa_step_matches_failing_property(const irep_idt &property_id)
Returns a function that checks whether an SSA step is an assertion with property_id.
Definition: bmc_util.cpp:54

output_graphml
void output_graphml(const goto_tracet &goto_trace, const namespacet &ns, const optionst &options)
outputs an error witness in graphml format
Definition: bmc_util.cpp:107

bmc_util.h
Bounded Model Checking Utilities.

build_goto_trace
void build_goto_trace(const symex_target_equationt &target, ssa_step_predicatet is_last_step_to_keep, const decision_proceduret &decision_procedure, const namespacet &ns, goto_tracet &goto_trace)
Build a trace by going through the steps of target and stopping after the step matching a given condi...
Definition: build_goto_trace.cpp:207

abstract_goto_modelt
Abstract interface to eager or lazy GOTO models.
Definition: abstract_goto_model.h:22

counterexample_beautificationt
Definition: counterexample_beautification.h:20

dstringt
dstringt has one field, an unsigned integer no which is an index into a static table of strings.
Definition: dstring.h:38

goto_symex_property_decidert
Provides management of goal variables that encode properties.
Definition: goto_symex_property_decider.h:24

goto_symext::get_remaining_vccs
unsigned get_remaining_vccs() const
Definition: goto_symex.h:851

goto_tracet
Trace of a GOTO program.
Definition: goto_trace.h:177

incremental_goto_checkert::log
messaget log
Definition: incremental_goto_checker.h:93

incremental_goto_checkert::options
const optionst & options
Definition: incremental_goto_checker.h:91

incremental_goto_checkert::ui_message_handler
ui_message_handlert & ui_message_handler
Definition: incremental_goto_checker.h:92

messaget::statistics
mstreamt & statistics() const
Definition: message.h:411

messaget::eom
static eomt eom
Definition: message.h:289

namespacet
A namespacet is essentially one or two symbol tables bound together, to allow for symbol lookups in t...
Definition: namespace.h:94

optionst
Definition: options.h:23

optionst::get_bool_option
bool get_bool_option(const std::string &option) const
Definition: options.cpp:44

single_path_symex_checkert::build_trace
goto_tracet build_trace(const irep_idt &) const override
Builds and returns the trace for the FAILed property with the given property_id.
Definition: single_path_symex_checker.cpp:162

single_path_symex_checkert::symex_initialized
bool symex_initialized
Definition: single_path_symex_checker.h:45

single_path_symex_checkert::output_proof
void output_proof() override
Definition: single_path_symex_checker.cpp:186

single_path_symex_checkert::single_path_symex_checkert
single_path_symex_checkert(const optionst &options, ui_message_handlert &ui_message_handler, abstract_goto_modelt &goto_model)
Definition: single_path_symex_checker.cpp:20

single_path_symex_checkert::get_namespace
const namespacet & get_namespace() const override
Returns the namespace associated with the traces.
Definition: single_path_symex_checker.cpp:175

single_path_symex_checkert::property_decider
std::unique_ptr< goto_symex_property_decidert > property_decider
Definition: single_path_symex_checker.h:46

single_path_symex_checkert::prepare_property_decider
virtual std::chrono::duration< double > prepare_property_decider(propertiest &properties, symex_target_equationt &equation, goto_symex_property_decidert &property_decider)
Prepare the property_decider for solving.
Definition: single_path_symex_checker.cpp:102

single_path_symex_checkert::build_full_trace
goto_tracet build_full_trace() const override
Builds and returns the complete trace.
Definition: single_path_symex_checker.cpp:128

single_path_symex_checkert::run_property_decider
virtual void run_property_decider(incremental_goto_checkert::resultt &result, propertiest &properties, goto_symex_property_decidert &property_decider, std::chrono::duration< double > solver_runtime)
Run the property_decider, which calls the SAT solver, and set the status of checked properties accord...
Definition: single_path_symex_checker.cpp:113

single_path_symex_checkert::output_error_witness
void output_error_witness(const goto_tracet &) override
Definition: single_path_symex_checker.cpp:180

single_path_symex_checkert::build_shortest_trace
goto_tracet build_shortest_trace() const override
Builds and returns the trace up to the first failed property.
Definition: single_path_symex_checker.cpp:141

single_path_symex_checkert::operator()
resultt operator()(propertiest &) override
Check whether the given properties with status NOT_CHECKED, UNKNOWN or properties newly discovered by...
Definition: single_path_symex_checker.cpp:29

single_path_symex_checkert::is_ready_to_decide
bool is_ready_to_decide(const symex_bmct &, const path_storaget::patht &) override
Returns whether the given path produced by symex is ready to be checked.
Definition: single_path_symex_checker.cpp:94

single_path_symex_only_checkert
Uses goto-symex to generate a symex_target_equationt for each path.
Definition: single_path_symex_only_checker.h:26

single_path_symex_only_checkert::final_update_properties
virtual void final_update_properties(propertiest &properties, std::unordered_set< irep_idt > &updated_properties)
Updates the properties after having finished exploration and adds their property IDs to updated_prope...
Definition: single_path_symex_only_checker.cpp:170

single_path_symex_only_checkert::initialize_worklist
virtual void initialize_worklist()
Adds the initial goto-symex state as a path to the worklist.
Definition: single_path_symex_only_checker.cpp:63

single_path_symex_only_checkert::symex_runtime
std::chrono::duration< double > symex_runtime
Definition: single_path_symex_only_checker.h:43

single_path_symex_only_checkert::worklist
std::unique_ptr< path_storaget > worklist
Definition: single_path_symex_only_checker.h:42

single_path_symex_only_checkert::update_properties
virtual void update_properties(propertiest &properties, std::unordered_set< irep_idt > &updated_properties, const symex_target_equationt &equation)
Updates the properties from the equation and adds their property IDs to updated_properties.
Definition: single_path_symex_only_checker.cpp:158

single_path_symex_only_checkert::ns
namespacet ns
Definition: single_path_symex_only_checker.h:40

single_path_symex_only_checkert::resume_path
virtual bool resume_path(path_storaget::patht &path)
Continues exploring the given path using goto-symex.
Definition: single_path_symex_only_checker.cpp:93

single_path_symex_only_checkert::has_finished_exploration
virtual bool has_finished_exploration(const propertiest &)
Returns whether we should stop exploring paths.
Definition: single_path_symex_only_checker.cpp:85

symex_bmct
Definition: symex_bmc.h:24

symex_target_equationt
Inheriting the interface of symex_targett this class represents the SSA form of the input program as ...
Definition: symex_target_equation.h:34

ui_message_handlert
Definition: ui_message.h:22

counterexample_beautification.h
Counterexample Beautification.

propertiest
std::map< irep_idt, property_infot > propertiest
A map of property IDs to property infos.
Definition: properties.h:76

single_path_symex_checker.h
Goto Checker using Single Path Symbolic Execution.

incremental_goto_checkert::resultt
Definition: incremental_goto_checker.h:43

incremental_goto_checkert::resultt::updated_properties
std::unordered_set< irep_idt > updated_properties
Changed properties since the last call to incremental_goto_checkert::operator()
Definition: incremental_goto_checker.h:61

incremental_goto_checkert::resultt::progress
progresst progress
Definition: incremental_goto_checker.h:54

path_storaget::patht
Information saved at a conditional goto to resume execution.
Definition: path_storage.h:42

path_storaget::patht::equation
symex_target_equationt equation
Definition: path_storage.h:43

symex_bmc.h
Bounded Model Checking for ANSI-C.

ui_message.h